1b8e5ffa24aacacb887ec486ad31486589472253b5de6278c19c06e9daffc53a

General

Target

1b8e5ffa24aacacb887ec486ad31486589472253b5de6278c19c06e9daffc53a.exe
Size

770KB
MD5

9a8412ae8a129a60a294548aa291168f
SHA1

1246db1fce69ceb5dbbb32a100d4c7d91dc6c606
SHA256

1b8e5ffa24aacacb887ec486ad31486589472253b5de6278c19c06e9daffc53a
SHA512

38a5f5370e320da448568733c103b83e9129a8fcb605544edef632d578d309645e749bf727dcbc6319b0789e115f0764a5125101092144dad39386935e81bc41
SSDEEP

12288:h1OgLdaOg+f65f+YOfY0bU5phYwX6nK3LbbSLkUGL:h1OYdaOg+C5fz+YRUwXV3Lbu4DL

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1912	qQPqLdNTz63XJiQ.exe

Loads dropped DLL 1 IoCs

pid	Process
1904	1b8e5ffa24aacacb887ec486ad31486589472253b5de6278c19c06e9daffc53a.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbfehkoinhhcknnbdgnnmjhiladcgbol\142\manifest.json	qQPqLdNTz63XJiQ.exe
File created	C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbfehkoinhhcknnbdgnnmjhiladcgbol\142\manifest.json	qQPqLdNTz63XJiQ.exe
File created	C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbfehkoinhhcknnbdgnnmjhiladcgbol\142\manifest.json	qQPqLdNTz63XJiQ.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 1912	1904	1b8e5ffa24aacacb887ec486ad31486589472253b5de6278c19c06e9daffc53a.exe	27
PID 1904 wrote to memory of 1912	1904	1b8e5ffa24aacacb887ec486ad31486589472253b5de6278c19c06e9daffc53a.exe	27
PID 1904 wrote to memory of 1912	1904	1b8e5ffa24aacacb887ec486ad31486589472253b5de6278c19c06e9daffc53a.exe	27
PID 1904 wrote to memory of 1912	1904	1b8e5ffa24aacacb887ec486ad31486589472253b5de6278c19c06e9daffc53a.exe	27

C:\Users\Admin\AppData\Local\Temp\1b8e5ffa24aacacb887ec486ad31486589472253b5de6278c19c06e9daffc53a.exe
"C:\Users\Admin\AppData\Local\Temp\1b8e5ffa24aacacb887ec486ad31486589472253b5de6278c19c06e9daffc53a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Users\Admin\AppData\Local\Temp\7zS6A29.tmp\qQPqLdNTz63XJiQ.exe
  .\qQPqLdNTz63XJiQ.exe
  2⤵
  - Executes dropped EXE
  - Drops Chrome extension
  PID:1912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS6A29.tmp\lbfehkoinhhcknnbdgnnmjhiladcgbol\W.js

Filesize
6KB

MD5
09a1ea73a963ed970dbff36ef4806414

SHA1
f7d50ab339f6c2938905542891a2214036d736bd

SHA256
b0d6e220797cc31c39107ab844a67a68e80ff0ccf54b512ff0a4bf725b54d5d8

SHA512
13ab43f0b635a28742745fd9a3313ef031a05dde3e0fb5e2c65933a9d4fe47ffd9ad04a36c86391362eb45c63d30795db56d525fec8d288e036dfd6f023b039a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6A29.tmp\lbfehkoinhhcknnbdgnnmjhiladcgbol\background.html

Filesize
138B

MD5
3026b0ad6d0afbb764a8a27343b3939f

SHA1
b5d2d5e95c175ec0f99064f9fec624dfdea9e5af

SHA256
78d4139b86a3b6d4120a2cc842b297836a7105e88e31c0024b70509d75a3e4fe

SHA512
5f41b806a9609f10cb74843e37df8f83a0ce3a4486bc6e7a290565f4e4f0332255c535066a804ab3446c033e5675cc39ea12d075c52ad862f3f91d4bb7c79cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6A29.tmp\lbfehkoinhhcknnbdgnnmjhiladcgbol\content.js

Filesize
144B

MD5
fca19198fd8af21016a8b1dec7980002

SHA1
fd01a47d14004e17a625efe66cc46a06c786cf40

SHA256
332b00395bc23d4cb0bf6506b0fbb7e17d690ed41f91cf9b5d1c481cb1d3e82a

SHA512
60f4286b3818f996fab50c09b191fbc82ed1c73b2b98d00b088b5afbbc0368c01819bd3868bd3c6bcb2cd083b719e29c28209317c7411213a25f923cfc1f0e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6A29.tmp\lbfehkoinhhcknnbdgnnmjhiladcgbol\lsdb.js

Filesize
531B

MD5
36d98318ab2b3b2585a30984db328afb

SHA1
f30b85fbe08e1d569ad49dfeafaf7cb2da6585a5

SHA256
ea2caf61817c6f7781ee049217e51c1083c8fc4f1e08e07792052dfdfa529ae7

SHA512
6f61ccda2eba18369409850b2c91c9817fc741755e29a1579646e3816e0deab80e34a5adb9ff865c773793d32ac338163a224dbf363b46420d6ea42a7bbb2b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6A29.tmp\lbfehkoinhhcknnbdgnnmjhiladcgbol\manifest.json

Filesize
598B

MD5
ed6d4b645b514c39d696508801f63c96

SHA1
d753e98324d3777f21c0a13934431a95f2920571

SHA256
88d596d1a098d6909bc176bb765107a6e4fb20ca512eeff12ee6e345065e2ccc

SHA512
5af54b0b72c713db389a5a8e74a2754fc83d051778b0f4f8745bfd3c548398bf3571ed5154079e84c8e43a570cecaa46fe1002e7db3603222e583085949b3995

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6A29.tmp\qQPqLdNTz63XJiQ.dat

Filesize
1KB

MD5
aacb69a9f3a35c71d000bce6e1df03c4

SHA1
3c02946b2e8416cf1db1f7e79f40661e3e9bf20b

SHA256
36d733752594d2e00368b1b396c34f83fea34238e5b63995148b2c33baef2193

SHA512
4ad26829675f96fb5fd6acdef05aeed9a3fe3edafb8f938d83ea333124430d07eb613b5219796822baceec70c5dcda85b54a1f74b0c6804b1b89bf47e551af69

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6A29.tmp\qQPqLdNTz63XJiQ.exe

Filesize
623KB

MD5
3b3e9f85b1e1d1defb4813cb1676b553

SHA1
17a064e28b670d6d4e579ac078a81e7334704b58

SHA256
26fc2e717907241142895bb38734755ebb1ca82f1d23f48e09ec0d75cd4ad381

SHA512
0f7d3df630b73820490a0d767707c69f5cbb94265b67a202c6f652e601ba970d1257583cf6082aa9fea97b10e7c0a40d0ac3947599602964b14a492c7452da36

Download Submit
\Users\Admin\AppData\Local\Temp\7zS6A29.tmp\qQPqLdNTz63XJiQ.exe

Filesize
623KB

MD5
3b3e9f85b1e1d1defb4813cb1676b553

SHA1
17a064e28b670d6d4e579ac078a81e7334704b58

SHA256
26fc2e717907241142895bb38734755ebb1ca82f1d23f48e09ec0d75cd4ad381

SHA512
0f7d3df630b73820490a0d767707c69f5cbb94265b67a202c6f652e601ba970d1257583cf6082aa9fea97b10e7c0a40d0ac3947599602964b14a492c7452da36

Download Submit
memory/1904-54-0x00000000762D1000-0x00000000762D3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing